Tailscale

Tailscale is a super-simple VPN that is easy to set up, and works well with BYOC satellites. This page documents the required configuration within Tailscale to enable BYOC.

Requirements

Configure a subnet router to provide access to satellites for users on the VPN. This is required because satellites never join a VPN directly, and may change IP/DNS addresses frequently.
Configure Restricted Nameservers (Split DNS) to resolve custom DNS names, as required by your cloud provider.
If you are running Earthly from within a Kubernetes pod, or GHA runner; you may need to make use of the userspace networking mode.
- When using userspace networking, you need to add a Global nameserver to your DNS settings.

Because network configuration can vary wildly across organizations and cloud providers, we've provided some further general guidance below.

AWS

Step-by-step instructions to configure a subnet router in AWS
- If you have multiple cloud installations sharing a single subnet, the single subnet router can be shared.
It is required to add a Split DNS entry for the <aws-region>.compute.internal TLD, because Earthly uses the AWS internal DNS addresses to resolve satellites. To do this:
- Open the DNS page in your Tailscale admin panel, find the "Nameservers" section, and click on "Add Nameserver" -> "Custom".
- In the modal that appears, use:
  - x.x.0.2 as the nameserver address, where x is corresponds to the CIDR block allocated to your VPC.
  - Check the box for "Restrict to domain" to enable Split DNS.
  - Add <aws-region>.compute.internal as the Domain, where <aws-region> corresponds to the region the subnet router is installed in. This option appears once the "Restrict to domain" option is toggled.

PreviousVPN

Last updated 1 year ago

Was this helpful?